I lead WMF's Product Safety and Integrity team. We work on things like bot detection, temporary accounts, two-factor authentication, and overall product security and anti-abuse work.
@konklone is my older personal account, and shouldn't be tagged into things related to my WMF work.
If this is chosen we may still want a technical measure preventing them from remove 2FA from users with advanced right.
Personally, I'd rather we put effort into eliminating port 80.
Just flagging that we are tracking this bug - thanks for documenting it here. Our initial team discussion about it suggests this is an unintended byproduct of running enwiki in 100% passive mode, and that it will be addressed when we move to 99.9% passive mode (which is scheduled for tomorrow morning, Monday).
Thanks @Clement_Goubert - could you give some more detail about the kind of security issues your work will need access to?
Yay for deleting code!!
I do think both is the correct answer - I posted in https://phabricator.wikimedia.org/T406281 with some thoughts there.
To be clear, I don't mean implementing all of those things as part of this ticket. I mean that I assume that it might make sense to create a post-login point that checks a variety of conditions that might trigger an interstitial, so that it's pretty straightforward to add those other sorts of examples going forward.
@Peter Could you put some more rationale on the ticket here, about why work related to IP blocking of Beta cluster involves needing access to security tickets on phabricator?
Yes, this change makes sense to me from a product and user safety perspective.
Good points on the accordion - I was not thinking at all about other languages. I defer to what you think best. Among the above visual proposals, I like the accordion version, and the rightmost version (the smallest text) the most.
For the message, I would remove the "Why do I need an account?" subheader and expander/collapser, and say something in active voice. (Also, we don't like to say "anonymous editing", as registering a user account is, if anything, more privacy-protective.)
I think this would also be an opportunity to have a UWER-focused message to add as many options/passkeys as possible.
@Taylor As I said in my reply on https://www.mediawiki.org/wiki/Project:Support_desk/Archive_23#Obligatory_security_rules_that_users_cannot_decide - we do understand that email checks add real imposition for users who routinely clear cookies and change IPs. To clear up some things I think you may not understand about the two options I described there (keeping a cookie, and 2FA):
To follow up, and with apologies for the conflicting comments in the two tasks, the policy is as I described above - the group is not open for applications, and has no guarantees associated with it. I'll add a comment to the other task to clarify there as well.
To note here, hCaptcha is now running in production for Special:CreateAccount on English Wikipedia, test2wiki, and several other production wikis. We encourage folks on this thread interested in improving accessibility to try it out. For example, we'd be interested in hearing what the screen reader experience is like. test2wiki is likely the most appropriate place for testing that actually creates new accounts.
To note here, hCaptcha is now running in production for Special:CreateAccount on English Wikipedia, test2wiki, and several other production wikis. We encourage folks on this thread interested in improving accessibility to try it out. For example, we'd be interested in hearing what the screen reader experience is like. test2wiki is likely the most appropriate place for testing that actually creates new accounts.
Just to mention here as well - https://phabricator.wikimedia.org/T407167 is resolved, since we have reverted back to 10 user codes. The goal had been to simplify the recovery code experience, and we relaxed the reauth timer to go along with these changes to reduce lockout risk, but this just wasn't a good enough solution. We'll be more cautious before adjusting this again.
We had briefly discussed this last quarter, and I had suggested 100. That's still my suggestion - something impractical for normal usage to reach, but still a normal system operations cap.
@RheingoldRiver I am sorry to give you a disappointing answer here, but the acl*release_security_pre_announce group is not open for applications. It is extremely small, rarely used (just once so far), and invite-only. It does not have any SLAs/SLOs -- we make no promises around it, and it may or may not ever become a formal process. We could make this more clear in the description for the group, so we will do that to avoid mismanaging expectations.
@sbassett Yep.
@sbassett Thanks - I spoke with @Samwalton9-WMF (who we recently granted access to), and confirmed that @jsn.sherman is the tech lead for that project and has a similar need for access as Sam does. Thumbs up from me.
I like this. @AAlhazwani-WMF or @KColeman-WMF what do you think?
Yes, I can see the dashboards I was intending to now! Thank you very much for everyone who helped resolve my issue, and apologies for my difficulty understanding some of the finer points around our access management.
@Aklapper This: https://www.mediawiki.org/wiki/Product_Analytics/Superset_Access#Requesting_access Specifically, the this Phabricator form link.
I am not actually certain if I have shell access or not. My account at https://idm.wikimedia.org says my shell username is ericmill, but I don't recall specifically requesting shell access.
This is part of an initiative to make our on-wiki 2FA system more accessible and useful for a broader, less technical audience than is currently able/required to use 2FA today. As part of that, we're trying to remove as much technical nomenclature (including protocol names) from the copy and UX of the site. The users who would recognize the terms TOTP and WebAuthn are also the least likely to need help with this in the first place, so I think we should proceed with Authenticator app and Security key.
That initiative was just about 2FA access, not retroactively re-evaluating anything else, so I think we should proceed and re-enable.
@EMill-WMF will decide that based on T401742.
To be clear, the main goal here is to remove the risk of unexpected changes (including compromise) of the part of the JavaScript that necessarily has access to the parent document context before establishing the iframes that the rest of the code is then loaded into.
Let's focus conversation on the most technically reasonable way to reflect a user's choice to remove lat/long (and other data extracted from the EXIF) at upload time from the form, and reflect those choices in the EXIF data of the resulting publicly available image.
@karapayneWMDE Just being a developer on a significant project isn't enough to grant full security issue access, which cuts much wider than any one project. (To be clear, this is the position we're maintaining for WMF as well.) If you're experiencing issues in your work, feel free to reach out separately to discuss it.
This is clearly nice, though I think it would be bearable for this feature to show up post-launch if we needed to descope something.
What about (in addition) redirecting https://en.wikipedia.org/wiki/Special:Manage_Two-factor_authentication (and other non-auth domain URLs to this same page on other wikis) to the auth domain version of it at https://auth.wikimedia.org/wiki/Special:Manage_Two-factor_authentication ?
From the Security side, we're good to go on this - @Samwalton9 leads product development on moderator tools that a heavy overlap with security and privacy efforts.
From the Security side, we're good to go on this - @MMoss_WMF works closely with us on security and privacy issues and may need access to tickets on a regular basis to support their work.
We'll also need significantly more context to support approval than is present on this ticket. Please include a more detailed rationale (while remembering that this is a public ticket).
Before this can be approved, I would like some more context on this ticket to support the request. What security ticket was fielded? Why do we think it will be so recurring that manual adding will be a big hassle?
I believe we should always prioritize WebAuthn. If a user has a phishing-resistant option registered, we should be encouraging them to use it -- and also making it more noticeable if they actually do end up at a phishing site (which will not be able to offer a working WebAuthn UI). This will be especially important for users with extended rights and WMF staff that may be targeted for phishing. We can make it pretty easy for the user to select to use an alternative method to log in. I'm open to user feedback, and/or seeing it show up in analytics that users are switching to alternative methods more than we might expect and which seems high-friction, but I think we should start from a posture of WebAuthn-first.
Thank you, @Jly !
+1 as well - good solution.
It would good to see if there are precise criteria that we could identify and use to separate accounts into tiers of how likely/known they are to be good-faith accounts. Ideally we would get enough confidence to handle those accounts programmatically differently during authentication, recovery, moderation, and other functions in the wikis.
I think something got lost in the shuffle here - the first bullet is implying they might get locked out during EmailAuth (which is only true for accounts with emails that remain unconfirmed), but where we started is saying that if they lose account access, we cannot recover them (which is true for both email-less accounts and accounts with unconfirmed emails. The first bullet implies that the user won't be able to login from an unrecognized device or location as a matter of policy unless they have a confirmed email, but that is not our policy.
Someone may register with a valid email owned by someone else, and it would be spammy to send those notifications periodically without a way to opt-out from them.
I've enabled MFA.